[cap-talk] Concerning entry "ambient authority" in Wikipedia

Rob Meijer capibara at xs4all.nl
Wed Jun 10 18:19:23 EDT 2009


On Wed, June 10, 2009 23:02, David-Sarah Hopwood wrote:

>
> However, an instance of a Unix system that is not *in fact* intercepting
> kernel calls in such a way as to implement capability rules -- even if the
> facilities to do so are in principle available -- is not a capability
> system, and in that case its authorities are not being accessed via
> capabilities.
>

Clear, a UNIX system not using ptrace or some LSM is not a capability system, and
a UNIX system that completely does and everywhere follows capability rules
is.

But how about the gray area where a relatively basic UNIX/Linux
distribution is run with, for the most part, all the basic processes
that come with most UNIX systems running without regard to capability rules,
but ONLY server processes and related processes confined to capability
rules by that available facility?

In other words, when starting with a GP OS like Linux or Windows, combined
with hooks like ptrace or LSM, what would be the minimum setup for such a
system for us to legitimately call it a capability system? How many GP OS
processes do we allow to become part of our TCB, and how small do we allow
our capability-rules-enforced subsystems to become before we can strongly
state that that GP OS, while providing this used facility to the
particular subsystem, does not constitute a capability system?

Rob



More information about the cap-talk mailing list